expo build:ios for Organization account

Hello,

I’ve been using expo build:ios in fully-automated mode with my Individual developer account for a while with no problems (thanks for the great tool!)

Recently I was added as an App Manager to an Organization account, which is completely new territory for me, so I’m a little hesitant to just run expo build:ios here in case it could negatively impact the other apps on the account.

So my first question is whether App Manager will have the required permission to allow expo build:ios to do its thing?

And (short of there being a bug) is there any danger to using it on an Organization account that has many other members, some of which may also be using expo build:ios for their own apps? Will we all co-exist nicely, or could there be trouble if there are other Expo users?

Edited to add: A bit of research into roles makes me think App Manager on its own may not be enough – I’d also need to be granted access to Certificates, Identifiers & Profiles.

So assuming I’m granted access, my original questions remain.

And if I’m not granted access, is there documentation around what steps to follow in that case (i.e. what do I do, what does someone with access to Certificates, Identifiers & Profiles need to do, etc.)?

Hey @rickparrish,

In order to build the standalone app, you would need access to certificates, profiles, etc. (such as the Apple Distribution Certificate, Apple Provisioning Profile).
And I know of teams that use expo under their Organization accounts, so it should be more than safe. After running expo build:ios, you will sign in to the organization account, and then under a team ID as well.

Best of luck!
Charlie

Thanks @charliecruzan. I’ve been given access to certificates, etc, and have run into a new problem: You can have only three Apple Distribution Certificates generated on your Apple Developer account.

I’ve done a bunch of reading through Apple docs and expo-cli source, and while I understand that this has nothing to do with Expo, if you have a minute I would appreciate feedback on whether this makes sense:

  • Our Organization’s account owner should revoke one of the three distribution certificates, create a new one, and then share a password-protected .p12 with team members. I could then use this .p12 file when using build:ios

  • They should do the same for the push key, which the expo-cli source seems to indicate has a limit of 2.

  • If they are unsure how to do this, I could revoke a distribution certificate, use build:ios in fully-automatic mode, and then use fetch:ios:certs to retrieve the distribution cert and push key, which I could then give to our account owner so they can share with other team members.

I guess actually there are a couple Expo-related questions. If I use fetch:ios:certs, what do I send to the account owner?

  • Surely *_dist.p12 and “Distribution P12 password” are needed
    • What about *_dist_cert_private.key – I’m guessing the private key is embedded in the .p12, so this is not needed?
  • Also *_apns_key.p8 will be needed
    • What about “Push Key ID”?
  • Provisioning profiles are application specific, so *.mobileprovision is not needed

Thanks,
Rick
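
For the question above about whether the private key is embedded in the .p12, one way to check a bundle before passing it on. This is an added example, not part of the original posts or of expo-cli; the file names, password and function names are constructed for illustration, and it assumes the `openssl` CLI is installed.

```shell
#!/bin/sh
# Added example. File names and the password are constructed sample values.

# Build a throwaway self-signed certificate and key, then bundle them into a
# password-protected PKCS#12 file standing in for a *_dist.p12.
make_sample_p12() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed-sample" \
        -keyout "$dir/sample_private.key" -out "$dir/sample_cert.pem" 2>/dev/null
    # The password is passed through an environment variable (env:) rather
    # than on the command line, where the process list would expose it.
    P12_PASS=$2 openssl pkcs12 -export -passout env:P12_PASS \
        -inkey "$dir/sample_private.key" -in "$dir/sample_cert.pem" \
        -out "$dir/sample_dist.p12"
}

# Succeed only if the bundle opens with the given password and holds a private
# key whose public half equals the public key in the bundled certificate.
p12_has_matching_key() {
    key_pub=$(P12_PASS=$2 openssl pkcs12 -in "$1" -passin env:P12_PASS \
        -nocerts -nodes 2>/dev/null | openssl pkey -pubout 2>/dev/null)
    cert_pub=$(P12_PASS=$2 openssl pkcs12 -in "$1" -passin env:P12_PASS \
        -nokeys -clcerts 2>/dev/null | openssl x509 -pubkey -noout 2>/dev/null)
    # An empty result means a wrong password or a bundle without a key.
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

demo_dir=$(mktemp -d)
make_sample_p12 "$demo_dir" 'constructed-password'
if p12_has_matching_key "$demo_dir/sample_dist.p12" 'constructed-password'; then
    echo "private key is inside the .p12 and matches its certificate"
else
    echo "no usable private key found in the .p12"
fi
rm -rf "$demo_dir"
```

A .p12 exported from macOS Keychain Access may use legacy encryption that OpenSSL 3 only reads when `-legacy` is added to the `pkcs12` commands.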

Happy to help @rickparrish!

I don’t believe that the ‘problem’ you’ve run into is actually a problem, as according to this GitHub issue, once you run into the
“Unable to add new certificate to your account (maximum number reached). Please delete one of your certificates or upload an existing one.”
error message, you can safely revoke a valid certificate, while having no effect on apps in the store originally signed with that certificate.

Additionally, running expo fetch:ios:certs pulls all the info you’d need (certs+passwords), meaning you can simply use this .p12 file for future builds.

Let me know if that answered your question 🙂

Hi

If a push notification key is used anywhere, it shouldn’t be revoked: it authenticates the Expo server with the Apple Push Notification service, so if you revoke it, notifications will stop working. You need to download it from the Apple developer portal and pass the path to it when the build:ios command asks you about it. The Key ID is visible in the panel when you click on the key.

Revoking a distribution certificate or a provisioning profile won’t affect apps that are already in the store.

Thanks @charliecruzan – And yes, by problem I didn’t mean that it was a showstopping problem, just that if I revoke one of the 3 dist certs then it leaves some other developer unable to sign their next build, which is why I’m hoping I can get the account owner to manage a master set of dist certs that are distributed to the various developers.

I was actually able to get in touch with one of the developers, who exported me a .p12, so I was finally able to load the app into TestFlight. Which has uncovered another problem, but I’m going to do some more investigation first before possibly starting another thread 🙂

Thanks again for the help,
Rick

Thanks @wkozyra – in this case there were no push keys created yet, so nothing to revoke. That’s good to know that unlike the dist certs the push keys can be downloaded from the developer portal though – I was going to send the account owner the .p8 that I generated, but since they’ll already have access to it, I guess I don’t need to worry about that!

Thanks,
Rick
